Module 4

Uploaded by Anand Lakshmi

Protection of Information Assets

645. In order to protect its critical data from virus attacks, an organisation
decides to limit internet access for its employees. What type of risk
response has the organisation exercised?
A. Mitigate
B. Avoid
C. Accept
D. Transfer
646. A production company decides to insure against production loss due to
natural calamities. What type of response is this classified as?
A. Mitigate
B. Accept
C. Transfer
D. Avoid
647. Implementation of Information system control in an organisation
ensures that:
A. Risk is transferred to another entity
B. Desired Outcome from business process is not affected
C. Losses are avoided
D. Incidents due to risk materialisation are avoided
648. Which of the following leads to destruction of information Assets such
as hardware, software and critical data?
A. Data error during data entry
B. Non maintenance of privacy with respect to sensitive data
C. Unauthorised access to computer systems
D. Using systems that do not meet user requirements
649. Maintenance of privacy in relation to data collected by an organisation
is very important because:
A. Errors committed during entry would cause great damage
B. It has an impact on the infrastructure and business competitiveness
C. It can be easily accessed by third parties
D. It contains critical and sensitive information pertaining to a customer
650. The role of an internal auditor in Information Systems auditing
includes:
A. Safeguarding data integrity
B. Attesting management objectives
C. Attesting System effectiveness and system efficiency objectives
D. Implementing control procedures
651. What does an external Information Systems auditor focus on?
A. Attesting objectives that focus on asset safeguarding and data
integrity
B. Attesting system effectiveness
C. Attesting system efficiency
D. Implementing control procedures
652. By auditing the characteristics of the system to meet substantial user
requirements, which control objective does an IS Auditor attest?
A. Data integrity objectives
B. System Effectiveness Objectives
C. Asset safeguarding objectives
D. System efficiency objectives
653. A statement of purpose achieved by implementing control procedures
in a particular IT process is defined as:
A. IS Control framework
B. Internal Controls
C. Control Objective
D. Preventive Controls
654. Which of the following is an example of technical implementation of
Internal Control?
A. Outlining policies that safeguard information assets
B. Installing a security guard in the premises to restrict entry of
unauthorised persons
C. Locking the room containing sensitive documents
D. Investing in tools and software to restrict unauthorised access to
information
655. What are preventive controls?
A. those mechanisms which refer unlawful activities to the
appropriate person/group
B. those controls which attempt to predict
potential problems before they occur
C. those mechanisms which modify the processing system to minimise
error occurrences
D. those controls which corrects the error arising from a problem
656. What are detective controls?
A. Provision for control of probable threats from materializing
B. Those controls that are designed to detect errors and omissions of
malicious acts
C. Those controls which assess probable threats
D. Those controls which minimise the impact of threat
657. What are corrective controls?
A. Those controls that correct an error once it has been detected
B. Those mechanisms which provide a clear understanding of the
vulnerabilities of an asset
C. Surprise checks by an administrator
D. Those mechanisms by which the management gets regular reports of
spend to date against a profiled spend
658. An organisation decides to control the access to a software application
by segregating entry level and updation level duties. What type of
internal control does this amount to?
A. Preventive Control
B. Detective Control
C. Corrective Control
D. physical implementation of a control
659. Under which type of control mechanism does taking a backup of
everyday activity fall?
A. Detective Control
B. Preventive control
C. Corrective control
D. Administrative Implementation of Control
660. As an IS auditor, how would you rate a computerised detective control
which is moderately efficient and with corresponding corrective
action?
A. High
B. Low
C. Moderate
D. Blank
661. As an IS auditor, how would you rate a least effective and inefficient
manual detective control without corrective action?
A. High
B. Low
C. Blank
D. Moderate
662. Which of the following describes the role of a risk owner?
A. Ensuring that all control objectives that focus on asset safeguarding
and data integrity are attested
B. Ensuring that the risk response is effective enough and is translated
into actions that will prevent and/or detect the risk.
C. Ensuring that all system effectiveness and system efficiency
objectives are attested
D. Ensuring that risk associated with a certain activity is mitigated either
by reducing likelihood or reducing impact
663. The process of Information Security does not end with implementation
of risk responses. The next step is to:
A. Facilitate to conduct risk assessment workshops
B. Ensure that KEY business risks are being managed appropriately
C. Plan the audit cycle according to the perceived risk
D. Ensure that the identified risk stays within an acceptable threshold
664. What process must an organisation follow to ensure that the identified
risk stays within the acceptable limits?
A. Evaluate the efficiency of the objectives of controls
B. Designing an effective internal control framework
C. Periodic review of the risk assessment exercise and proactive review
of possible risks
D. Optimise the use of various information resources
665. How does an IS auditor prioritise the controls that need to be tested?
A. By reviewing the control catalogue (which is a collective record of all
controls implemented)
B. By reviewing control procedure documents
C. By facilitating risk assessment workshops
D. Planning the audit cycle according to the risks perceived
666. In the case of control self-assessment, who does the actual testing of
controls?
A. The owner of the identified risk for which the control has been
implemented
B. Internal auditor, during the audit cycle as planned
C. Staff whose day-to-day role is within the area of the organisation
D. External auditor, while reviewing the management of KEY risks
667. Of the below mentioned roles, which one should an auditor refrain from
performing?
A. Giving assurance that the risks are being evaluated correctly
B. Implementing risk response on management’s behalf.
C. Evaluating the risk management process
D. Reviewing the management of KEY risks
668. Of the below mentioned roles, which one of the following should be
performed by an IS auditor?
A. Set the risk appetite
B. Impose risk management process
C. Evaluate Risk Management process
D. Take decision on risk responses
669. A data centre housing about 200 employees is involved in handling
business processes of multinational companies. For security
reasons, it decides to shift its network server and mail server to a
secluded room with restricted entry. What kind of internal control is
this?
A. Manual Preventive Control
B. Manual Detective Control
C. Computerised Preventive Control
D. Computerised Corrective Control
670. A company depends on an MIS supplied by an outsourced vendor to
identify payment defaulters and fine them. On further investigation
into the correctness of the data supplied, the IS auditor finds that although
mistakes are prone to happen at the entry level, there are computerised
controls at the vendor’s end and at the company’s end at the processing
level to minimise these. As an IS auditor, how would you rate the efficiency
of these controls?
A. Blank
B. Low
C. Moderate
D. High
671. The HR department of a company pays its employees medical claims
subject to a maximum limit per employee per year. For this, it relies on
data pertaining to a full year downloaded through the appropriate
software. However, it does not have a proper back up or restoration
procedure in place. How will an IS auditor rate this?
A. High control
B. Low Control
C. Blank Control
D. Moderate Control
672. A data centre handling outsourced operations decides to set up a
parallel facility for its critical activities at some place other than its
present place of operations. This is done with an intention to facilitate
return of business to normal levels in case of impact of natural
disasters or unforeseen events. Under what security policy is this
categorised?
A. Business Continuity Management Policy
B. Acceptable use of Information Assets policy
C. Physical Access and Security Policy
D. Asset Management Policy
673. What are the three KEY objectives of Information Security Management
(CIA Triad)?
A. Compliance, Integrity and Availability
B. Confidentiality, Information Security and Availability
C. Confidentiality, Integrity and Availability
D. Confidentiality, Integrity and Asset Management
674. What does “Integrity” mean with respect to Information Security
Management?
A. No data/information or programs shall be allowed to be modified by
anyone without proper authority.
B. No data or information is made available to any person within or
outside the organization, other than the persons who are authorized to
use that data.
C. All Information Systems including hardware, communication networks,
software applications and the data they hold, is available to authorized
users to carry out business activities.
D. Executive management endorsement of intrinsic security
requirements to ensure that security expectations are met at all levels
of the enterprise
675. What provides the basis for ensuring that information security
expectations are met at all levels of an enterprise?
A. Adopting an internationally recognized reference framework to
establish an Information Security framework
B. Successful establishment and endorsement of intrinsic security
measures by the senior management
C. Prioritising expenditures to mitigate risks and avoid spending more
resources in assessing risks
D. Ensuring that the framework followed to implement, maintain, monitor
and improve Information Security is consistent with the organisational
culture.
676. How does an enterprise ensure that the information present in any of its
business processes is protected and secure?
A. By ensuring that the framework followed to implement, maintain,
monitor and improve Information Security is consistent with the
organisational culture.
B. By adopting an internationally recognized reference framework to
establish an Information Security framework
C. By spending resources widely and transparently
D. By establishing and enforcing an Information Security Program
677. How does an enterprise demonstrate to staff, customers and trading
partners that their data is safe?
A. By establishing and enforcing an Information Security Program
B. By ensuring that the framework followed to implement, maintain,
monitor and improve Information Security is consistent with the
organisational culture.
C. Adopting an information security standard
D. By spending resources widely and transparently
678. The IS policy of an enterprise that talks about protecting non-public
personal information from unauthorised use, corruption, disclosure
and distribution is:
A. Acceptable usage policy or Fair Use policy
B. Data classification and Privacy Policy
C. Physical Access and Security policy
D. Asset Management Policy
679. The policy which restricts the ways in which the network, website or
system may be used by a user of an enterprise is termed as:
A. Acceptable usage policy or Fair Use policy
B. Physical Access and Security policy
C. Asset Management Policy
D. Business Continuity Management Policy
680. The IS policy which talks about protecting personnel and physical
property from damage or harm is termed as:
A. Asset Management policy
B. Business Continuity Management policy
C. Physical access and security policy
D. Password policy
681. What is the IS policy that defines the requirements for Information
Assets protection?
A. Business Continuity Management Policy
B. Asset Management Policy
C. Network Security Policy
D. Password policy
682. The characteristics of a strong password that protects information
assets should be:
A. Maximum 8 characters, case specific
B. Minimum 8 characters, only alpha numeric
C. Minimum 8 characters, only alphabets and easy to remember
D. Minimum 8 characters, case specific and containing special
characters

683. What should be done to ensure that security policies are in tune with
the management’s intent?
A. Change passwords regularly
B. Restrict unauthorised access to facilities
C. Review the security policies periodically
D. Hold non public personal information in strict confidence
684. Policies are generic and sometimes cannot be enforced in specific
situations. Can there be a relaxation of adherence to policy in such
cases?
A. Yes. But, it is necessary to ensure that there are suitable
compensating controls
B. Yes. Policies can be relaxed in case of such situations unconditionally
C. No. Under no circumstances can an Information Security policy be
relaxed
D. Yes. Adherence to the policy can be relaxed for an indefinite period
for the specific activity only.
685. Standards, Guidelines and Procedures are the three elements of policy
implementation. In what order should they be followed for proper
implementation?
A. Guidelines, Procedures and Standards
B. Procedures, Standards and Guidelines
C. Standards, Guidelines and Procedures
D. Guidelines, Standards and Procedures
686. With respect to Information Security, what does ‘Segregation of Duties’
mean?
A. No individual, of whatever seniority in the organization, should have
the ability to carry out every step of a sensitive business transaction.
B. The responsibility of powerful and KEY access to the system should
not be carried out by one person alone.
C. No person should be kept in one particular post for too long
D. Organisations should avoid situations where an individual becomes
indispensable to the business
687. In a bank, the chest in which cash is kept has to be opened with two
keys, one which is in the control of the manager and the other which is
in the control of the accountant/sub manager. Under what security rule
does this aspect classify?
A. Segregation of Duties
B. The ‘Four Eyes’ or ‘Two Person’ principle
C. Rotation of Duties
D. ‘KEY Man’ policies
688. An organisation which is IS compliant requires its employees to take
two weeks’ consecutive mandatory leave. Under which security rule
does this feature fall?
A. Rotation of duties
B. ‘KEY Man’ policies
C. Two person principle
D. Segregation of duties
689. Every corporate asset, building, item of equipment, bank account and
item of information should have a clearly defined ‘owner’. What are the
responsibilities of the owner of such assets?
A. Adding and deleting user identifiers from the system
B. Defining security responsibilities for every person in the organization
C. Ensuring that the asset is well maintained, accurate and up to date
D. Establishing and Implementing an effective IS program
690. When an owner is not able to manage a particular asset on a day to day
basis, the responsibility is passed on to a custodian. Which of the
following is an example of a custodian?
A. a vendor responsible for an outsourced activity
B. data center controlling access to production data
C. a subordinate doing the function of an owner during his absence
D. an auditor auditing the effectiveness of an asset
691. The actual security mechanism has its application in certain KEY tasks
of security systems. What are these called?
A. Organisational control
B. Backup data
C. Control points
D. Operating System
692. Name the participant which ensures that all stakeholders impacted by
security considerations are involved in the Information Security
Management process.
A. Steering committee
B. Information Owner
C. Information Custodian
D. System Owner
693. Name the participant who ensures that security controls have been
implemented in accordance with the information classification.
A. information Custodian
B. Information Owner
C. System Owner
D. Process Owner
694. Name the participant who ensures safe keeping of information on behalf
of the information owner.
A. System Owner
B. Process Owner
C. Information Custodian
D. System Administrator
695. Whose responsibility is it to ensure that adequate security is built once
the applications and systems have been acquired and are ready for use
in the production department?
A. System Owner
B. Process Owner
C. System Administrator
D. User Manager
696. Who is the person responsible for creating new system user accounts
and changing permissions of existing user accounts?
A. User Manager
B. System Administrator
C. Super User
D. Security Manager

697. Who holds the ultimate responsibility for all user IDs and information
assets owned by the company’s employees?
A. Super User
B. Security Manager
C. Steering Committee
D. User Manager
698. Who is responsible for defining security strategy and policies for an
organisation?
A. Steering Committee
B. Information Owner
C. Security Manager
D. Information Custodian
699. What is the role of Human Resources Security when the employment of
a person is terminated?
A. Ensure that access to sensitive data is revoked immediately
B. Define appropriate access to sensitive information for another person
C. Send regular updates in an effort to safeguard the data which was in
their possession
D. Educate the terminated employee to prevent data disclosure to 3rd
parties
700. What is ‘Acknowledge Policy’ with regard to Security Awareness
training program?
A. All employees are required to undergo security awareness training
B. All employees and third parties having access to sensitive information
have to complete training at least once a year
C. All employees are required to acknowledge that they have read and
understood the organization's information security / acceptable use
policy.
D. All employees have to go through a formal induction process
designed to introduce the organisation’s security policies
701. What is the primary goal of configuration management?
A. Ensuring that changes to the system do not unintentionally diminish
security
B. Mitigate the impact that a change might have on the security of other
systems
C. Configuring systems to meet the security requirement of the
organisation
D. Updating the software with the latest versions of all applications
702. What is the objective of a non-disclosure agreement?
A. Identify functional and physical characteristics of each configuration
setting
B. Impose limitations on like organisations that operate in the same
competitive space
C. Creates a confidential relationship between parties to protect any type
of confidential information
D. Follow a checklist to address whether any of the security holes remain
unplugged
703. What is the primary cause for lack of integration in system and security
design?
A. inadequacy of checklists as a means to address security concerns
B. limitations imposed on like organizations that operate in its
competitive space
C. the challenge of finding the right balance between protecting the
organization’s core assets and processes and enabling them to do
their job
D. systems and security design are undertaken in parallel rather than in
an integrated manner
704. What is a Denial-of-Service attack?
A. An attempt to make a machine or network unavailable to its intended
users.
B. Unauthorized access to an organisation’s internal network.
C. Illegal copying of software.
D. Creation of Internet Protocol (IP) packets with a forged source IP
address
705. What is ‘Phishing’?
A. Unauthorized real-time interception of a private communication
B. Attempting to obtain otherwise secure data by conning an individual
into revealing secure information
C. Trying to obtain information like user ID and password for bank
accounts, credit card pin etc. using electronic communication means
D. Exploiting vulnerabilities of a system to gain unauthorized access to
system or resources
706. What are ‘botnets’?
A. underground network established by hackers by sending malware
B. targeted attack that continues for a sustained period for about a year
or more
C. attacks that are specifically targeted to selected organization
D. changing of data before or during entry into the computer system
707. What should be done to minimise damage from security incidents
and to recover from them?
A. Report an incident to an appropriate authority to know what action
should be taken
B. Handle the incident independently and follow it up if required
C. Establish a formal incident response capability and centralise it with
the KEY roles and responsibilities
D. Plan and prepare a response system proactively in case of the
occurrence of an incident
708. Generating a higher level of compliance by creating realistic workable
policies is one way of increasing compliance to security policies. Which
guideline of implementation does this fall under?
A. Simplify enforcement
B. Increase Awareness
C. Communicate Effectively
D. Integrate Security with corporate culture
709. As part of auditing Information Security of a multinational bank, an
auditor wants to assess the security of information in ATM facilities.
Under which privacy policy should he look for details pertaining to
security guards and CCTV surveillance of ATMs?
A. Acceptable use of Information Assets Policy
B. Physical Access and Security Policy
C. Asset Management Policy
D. Business Continuity Management Policy
710. You work in a company which has strict Information Security
Procedures. One of the requirements which you have to adhere to is
setting a strong login password. Which of the following is an example
of a strong password?
A. Abcde
B. Rosy98
C. 31567
D. qqbRqs$W
711. The customer data for the loyalty card issued by a retail store is picked
from a form filled by the customer. The data from the form is entered
into software by data entry operators who report to a manager. In order
to protect customer data, segregation of duties is built into the software
in such a way that the operators have permission only to enter data.
Any editing or modification can be done only by the manager. It so
happens that the manager quits his employment and the store elevates
the position of one of the operators to that of a manager. Who do you
think is responsible for removing the permission of the exiting manager
and changing that of the new manager?
A. Information Owner
B. New Manager
C. System Administrator
D. Information Owner
712. The retail store (mentioned in question 3) has branches in locations
across India and the same process for collecting customer data for
loyalty programs is followed in all the branches. This data is then
consolidated into one database and is accessible across all branches.
The persons who are assigned responsibilities with respect to this
database are as follows:
• Management as Information Owners
• General Manager – Marketing: As custodian for the data
• General Manager – Operations: as owner of the process
• System Administrator
• Branch Manager
• Data Entry Operator
Who, do you think, is responsible for processing the information that
is received from the branches, checking it and circulating it?
A. Management
B. General Manager, Marketing
C. General Manager, Operations
D. Branch Manager
713. In the same case as mentioned in Questions 3 and 4, who, do you think
is responsible for ensuring that the customer data is secure and
running regular back ups?
A. General Manager, Marketing
B. General Manager, Operations
C. Data Entry Operator
D. System Administrator
714. You are an Information Systems Security Awareness Training Manager
employed in a Multinational Bank. You have been part of a team that
has created a security training program including classroom, online
and web based trainings which is mandatory for all employees and third
parties who have access to the bank’s sensitive information. How
would you ensure that employees and third parties are continually
updated on latest issues?
A. By introducing them to the bank’s expectations with respect to
Information Security
B. By making Security Awareness training mandatory for the
management
C. By getting a written acknowledgement from employees that they have
read and understood the policy
D. By giving security awareness training to employees and third parties
at least once a year
715. A bank has outsourced certain processes related to its personal loans
unit to a third party vendor. As an IS auditor of the bank, what would
you look for to assure yourself that non-public business information
accessed by the third party vendor is protected and not misused?
A. A non-disclosure agreement signed by the vendor
B. Check if all employees of the vendor are given enough training
C. Verify if there are instances of data being misused earlier
D. Check for a written acknowledgement from the vendor that they have
read and understood the company’s policy
716. Organisations have to identify the information that needs various levels
of protection and put them in the appropriate ‘bucket’. Why can’t the
entire information within an organisation be protected uniformly?
A. There is a great dependence on information by organizations
B. It provides a systematic approach to protecting information
consistently
C. Maintaining security in a network environment is complex
D. It will be a massive task to protect all information uniformly
717. How must an organisation ensure that its information is adequately
protected, i.e., neither over-protected nor under-protected?
A. By training its employees who are using the information
B. By ensuring that its information is not shared in any network
C. By classifying its information and placing it in the appropriate bucket
D. By not sharing information with third parties
718. Information classification ensures that security controls are only
applied to information that requires such protection. What is the benefit
of such an exercise?
A. Reduces operational costs of protecting information
B. Helps the management access sensitive information
C. Ensures that such information is not shared with third parties
D. Ensures that such information is not accessible to employees
719. How does an organisation ensure that appropriate users gain access to
appropriate files?
A. By classifying users to groups
B. By classifying and labeling information
C. By not sharing information in the general network
D. By having a supervisor for groups who controls access
720. What are the factors to be considered for determining the level of
confidentiality of information?
A. Relevancy to a business transaction
B. Meeting particular compliance requirements
C. Changes to the content and external conditions of information
D. Appropriate User groups
721. An Information classification policy determines the accountability of
Information Owners, custodians and users. Who is responsible for
assigning classifications to information assets?
A. System Owner
B. Information Owner
C. System administrator
D. Process Owner
722. Under what information category does widely distributed product
brochures fall?
A. Sensitive Information
B. Client Confidential Information
C. Unclassified/Public Information
D. Company Confidential Information
723. Under what category does company-developed software code fall?
A. Sensitive Information
B. Client Confidential Information
C. Company Confidential Information
D. Unclassified/Public Information
724. Under what category does information received from clients fall?
A. Client Confidential Information
B. Company Confidential information
C. Unclassified/Public Information
D. Sensitive Information
725. What is Personally Identifiable Information (PII)?
A. Personal Information of any person who needs to provide this to
the organisation
B. Information held by an organisation which can identify a
stakeholder
C. Personal Information pertaining to the employees of an organisation
D. Personal Information pertaining to the third parties associated with the
organisation
726. What is the standard that must be complied with by all those who deal
with credit/debit cards?
A. PCIDSS
B. Electronic Communications Privacy Act
C. Information Technology Act 2000
D. Regulations mandated by Reserve Bank
727. What is the Act which mandates how financial institutions must deal
with the private information of individuals?
A. Information technology Act 2000
B. Video Privacy Protection Act
C. Gramm-Leach-Bliley Act
D. Electronic Communications Privacy Act
728. Which of the following does not classify under Personally identifiable
Information?
A. Company advertisement information
B. Medical information of patients
C. Location information of clients
D. Information collected by websites
729. How is information classification applied for information contained in a
critical database?
A. at the file or data level
B. to the entire database
C. to each individual document
D. at column level at the discretion of the information owner
730. How can critical data be protected during transmission, processing and
storing?
A. By keeping the information physically secured
B. By encrypting
C. By controlling access
D. By taking a backup

731. What are the solutions referred to under DLP (Data Leak Prevention)?
A. Protecting data based on the rule set and classification
B. Expecting creator of data file to choose who shall access data
C. Authenticating users out of the organisation
D. Working at data base level and managing the access rights
732. What is the pre requisite for successful implementation of data
protection tools like DLP, DRM and DAM?
A. Identifying information resources
B. Creating an information risk profile
C. Creating appropriate rule set and classification based on impact of
risks
D. Establishing a process for data classification
733. Which of the following is a risk associated with Portable Devices?
A. Users can access Company’s internal information from anywhere
B. It is prone to physical security problems because of availability within
the workplace
C. Unauthorised users may access hard copy of electronic data
D. Its overall security is dependent on the physical security of the work
stations
734. What are network devices?
A. Device in which all data in a network is placed
B. Devices deployed for establishing communication
C. Devices installed by telecom companies to facilitate mobile
communication
D. Devices that facilitate accessing data from anywhere
735. In order to ensure the privacy of personal information of an individual,
a company has to:
A. Write policies and procedures
B. Define roles and responsibilities
C. Implement an effective privacy program
D. Define incident response plans
736. An auditor need not be involved in one of the following while evaluating
an organisation’s privacy framework. Which is it?
A. Liaise with in-house legal counsel to understand legal implications
B. Design Incident response plans
C. Liaise with information technology specialists to understand security
implications
D. Understand internal policies and guidelines
737. An insurance company is in the process of classifying its information
according to its sensitivity. If you formed a part of the team responsible
for this classification, how would you classify personal information
pertaining to insurance holders?
A. Unclassified/Public Information
B. Sensitive Information
C. Client Confidential data
D. Company Confidential data
738. You head a data processing center which handles an outsourced
activity of employee medical reimbursements of a multinational. You
have employed professionals who have developed the required
software for the activity and who maintain the same. Under which of the
following would you classify the software codes?
A. Client Confidential Data
B. Company Confidential Data
C. Sensitive Information
D. Unclassified data
739. The personal loans department of a bank maintains a database of
personal information of its customers who have availed loans. This
database is used for various purposes by the bank. As an IS auditor
you find that there are security breaches related to this information.
Under what Act would the company be liable?
A. PCIDSS
B. Information Technology Act 2000
C. Gramm Leach Bliley Act
D. Video Privacy Protection Act
740. As an employee of the HR department of a multinational company, you
are required to send through email, sensitive data pertaining to the
employees of your organisation to a data centre for processing. Though
there is approval from the management that the data centre can have
access to this data, there is a precautionary measure that you should
take while transmitting this data. Which of the following is it?
A. Encrypting the data before sending
B. Taking a back up before sending
C. Sending information only on a need to know basis
D. Setting strong access controls at the vendors site
741. Which of the following is not a part of Physical Access Control?
A. Preventing unauthorised physical access to resources
B. Protection of information in stored, transit and processing stages
C. Control entry during and after normal business hours
D. Identification checks

742. Which of the following is an information asset that need not be included
in physical access control?
A. Information in transit through mail
B. Primary computer facilities
C. Micro computers
D. Printers
743. Which of the following is not a physical access control?
A. Manual doors or cipher KEY locks
B. Protecting data with passwords
C. Controlling the reception area
D. Logging in visitors
744. Threats to Information Assets like computing equipment, media and
people are known as:
A. Cyber threats
B. Environmental Threats
C. Physical Threats
D. Logical Access Threats
745. “Preventing modification of data by unauthorised personnel” falls
under which core principle of Information Safety?
A. Integrity
B. Confidentiality
C. Availability
D. Security
746. Under what category of Physical Security threat does poor handling
and cabling of electronic equipment fall?
A. Electrical
B. Environmental
C. Maintenance
D. Hardware
747. Which of the following is not a source of Physical Security threat?
A. Uncontrolled/Unconditioned Power, Low voltage
B. Physical Access to IS resources by unauthorised personnel
C. Discontented or disgruntled employees
D. Interested or Informed outsiders
748. In an organisation there are instances of employees using the internet
for personal purposes. Under what threat is this classified?
A. Logical access threat
B. Environment threat
C. Improper physical access threat
D. Electrical threat
749. Viewing or copying of sensitive information by visitors who have gained
unauthorised access to the same is:
A. An Improper Physical Access Exposure
B. An Unintentional or Accidental Exposure
C. A Deliberate Exposure
D. An Environmental Exposure
750. If windows exist in a data centre, they must be translucent and
shatterproof. Why?
A. To avoid data leakage through electromagnetic radiation
B. To prevent anyone from peeping and viewing data
C. To avoid environmental threats to physical systems
D. To avoid theft of physical assets
751. Why are audit trails and control logs important for Security
Management?
A. To know where access attempts occurred and who attempted them
B. To reduce unauthorised access to sensitive information
C. To prevent modification or deletion of file content
D. To prevent unintentional physical access

752. What is the first step once an unauthorised event is detected?
A. Process owner should investigate and take action
B. The incident should be reported to the appropriate authority
C. Security administrator should effect modifications to the security policy
D. Should be effectively handled to mitigate losses
753. Which of the following is not a Human Resource Control?
A. Providing identity cards
B. Providing training in Physical Security
C. Locking system screens when not in seat
D. Monitoring behavior
754. The most important human resource control is:
A. Providing access cards to employees
B. Assigning responsibilities to employees
C. Provide training to employees
D. Escort terminated or resigned/retired employees
755. Which of the following is a perimeter security?
A. Screen savers
B. Passwords
C. Access cards
D. Guards
756. Which of the following is not a perimeter security?
A. Compound walls and Fencing
B. Lighting exteriors
C. Encrypting data in transit
D. Bolting door locks
757. What perimeter security is used to reduce the risk of piggy backing?
A. Dead man doors
B. Bolting door locks
C. Combination or Cipher locks
D. Compound walls
758. The advantages of Electronic door locks do not include:
A. Distinguishing between various categories of users
B. Most secure locks since they enable access based on individual
features such as finger prints
C. Restricting individual access through the special internal code
D. Deactivation of card entry from a central electronic control mechanism
759. Which of the following is a disadvantage of a Biometric Door lock?
A. Easy duplication
B. Is not as sophisticated as electronic door locks
C. High cost of acquisition, implementation and maintenance
D. They are not very secure
760. A device which creates a grid of visible white light or invisible infrared
light, which when broken activates an alarm is:
A. Photo electric sensors
B. Dry contact switches
C. Video cameras
D. Identification badges
761. The process requiring all visitors to sign a visitors log at the time of
entry/exit is known as
A. Electronic logging
B. Manual logging
C. Controlled visitor access
D. Controlled single point access

762. A card reader that senses the card in possession of a user in the general
area and enables faster access is:
A. Wireless proximity readers
B. Motion detectors
C. Cable locks
D. Identification Badges
763. Lockable switches that prevent a keyboard from being used are:
A. Switch controls
B. Biometric Mouse
C. Laptop security
D. Peripheral switch controls
764. A smart card used for access control is also called a security access
card. Which of the following is not a type of smart card?
A. Identification cards
B. Photo Image Cards
C. Digital coded cards
D. Wireless proximity readers
765. Which of the following is not a biometric characteristic?
A. Finger prints
B. Retina scans
C. Passport photo
D. Palm scans
766. Name the performance measure in biometrics which is the percentage
of invalid subjects that are falsely accepted.
A. False Rejection Rate (FRR)
B. False Acceptance Rate (FAR)
C. Crossover Error Rate (CER)
D. Throughput rate
767. With respect to biometrics evaluation, how is the time taken to register
with a system referred to?
A. Enrolment time
B. Throughput rate
C. Acceptability
D. Registration time
768. With respect to audit of physical access controls, what does controls
assessment mean?
A. Ensuring that the risk assessment procedure adequately covers
periodic and timely assessment of all assets
B. Evaluating whether physical access controls are in place
C. Examining relevant documentation such as the security policy and
procedures, premises plans, building plans, etc
D. Reviewing physical access controls for their effectiveness.
769. The review of physical access controls by an auditor need not include:
A. Observing safeguards and Physical access procedures
B. Interviewing personnel to get information of procedures
C. Authorising special access
D. Touring organisational facilities
770. What should an auditor check for in case of employee termination?
A. The employee’s tenure and his conduct during the same
B. Withdrawal and deactivation of access rights
C. Whether appropriate rights have been granted to the replacement
D. Whether there is any due from the employee to the organisation
771. What is the review procedure that should be adopted by an auditor to
ensure that there is adequate security at entrance and exits?
A. Review physical layout diagrams, risk analysis, procedure for
removal and return of storage media, knowledge and awareness of
emergency procedures by employees

B. Inspect guard procedures and practices, and facility surveillance
system apart from assessing vehicle and pedestrian traffic around
high risk facility
C. Review security policies and procedures at enterprise level and
system level are aligned with business stated objectives
D. Review employee and visitor entry logs, entry/exit procedures used by
management, documentation of logs
772. From the perspective of environmental exposures and controls, how are
computer rooms, server rooms and printer rooms categorised?
A. Information System supporting infrastructure or facilities
B. Hardware and Media
C. Documentation
D. Supplies
773. Which of the following is a natural environmental threat?
A. War action and Bomb threats
B. Air conditioning failure
C. Earthquakes
D. Undesired activities in computer facilities such as smoking
774. Which of the following is a man-made environmental threat?
A. Extreme variations in temperature
B. Static Electricity
C. Humidity, vapors, smoke and suspended particles
D. Fire due to negligence and human action
775. Given below are some examples of exposures. Which of these do not
pertain to violation of environmental controls?
A. The possibility of a fire destroying valuable computer equipment due
to use of inflammable material for construction of server cabin
B. The possibility of Unauthorised access to sensitive data through
hacking
C. The possibility of a fire due to poor cabling
D. The possibility of damage of keyboards and other devices due to
accidental dropping of beverages
776. What is a sudden rise in voltage in the power supply known as?
A. Surge
B. Blackout
C. Sag/dip
D. Transient
777. Which of the following need not be considered while choosing a safe
site?
A. Probability of natural disasters
B. Transportation
C. Proximity to other like companies
D. External services like police, fire, hospital etc
778. While designing a site, it is important that the location of media libraries
is:
A. Fungi Resistant and heat resistant
B. Easily accessible
C. Not easily accessible
D. Outside the work area
779. The organisation should consider newer environmental threats like
generator installation by a neighbor or sudden changes in climate as
part of:
A. Facilities planning
B. Choosing a site
C. Designing a site
D. Documentation
780. New employee induction programs should be conducted as part of:
A. Documentation
B. Facilities planning

C. People Responsibility and training
D. Emergency plan
781. An effective emergency plan of an organisation should include:
A. Detailed analysis of third party and outsourced vendors/suppliers
B. Evaluation of effectiveness and efficiency of environmental facilities
C. Preventive maintenance plans
D. Control Action, Evacuation plan and paths
782. How can an organisation reduce Mean Time to Repair/recover/respond/restore (MTTR)?
A. By stocking spare parts on site
B. By planning for environmental controls
C. By identifying, parameterizing and documenting risks of utility failure
D. By evaluating alternatives with low MTBF
783. Listed below are some of the controls to ensure uninterrupted supply of
clean power. Out of these which is the equipment which cleanses the
incoming power supply of problems such as spikes, sags, etc.?
A. Generators
B. Electrical surge protectors/line conditioners
C. Uninterruptible power supply (UPS)
D. Power leads from two substations
784. How does a smoke/fire detector function?
A. Activate audible alarms on sensing a particular degree of smoke or
fire
B. Activate audible alarms and are linked to monitoring stations within
and outside the organisation
C. Activate an audible alarm on detecting water
D. Switches off power in case of emergency situations like fire etc.
785. How are fires caused by flammable liquids and gases suppressed?
A. Water or soda acid
B. Dry powder
C. Carbon dioxide, soda acid or FM200
D. Gas based systems
786. Which of the following is a gas based fire suppression system?
A. Wet pipe sprinklers
B. FM 200
C. Dry pipe sprinklers
D. Pre action
787. How does an auditor ensure that there are safeguards against the risks
of heating, ventilation and air-conditioning systems?
A. Review heating, ventilation and air-conditioning design
B. Review any shielding strategies
C. Verify critical systems and emergency power supplies
D. Interview officials and review planning documents
788. How does an auditor ensure that adequate environmental controls have
been implemented?
A. Interview security personnel to ensure their awareness and responsibilities
B. Verify critical systems and emergency power supplies
C. Interview staff, determine humidity, temperature and voltage are
within acceptable levels
D. Interview officials and review planning documents and review training
records and documentation
789. Which of the following is not a component in the information systems
infrastructure between the user and the Data Base?
A. Network operating systems
B. Application software
C. Physical documents

D. Data Base Management System
790. What is the task of an auditor when evaluating the risks associated with
hardware components?
A. Consider vulnerabilities of different communication channels and
devices like workstations, peripherals etc.
B. Ensure that logical access to system software are controlled to detect
changes in system configuration
C. Evaluate the access security enforced by the DBMS
D. Focus on the effectiveness of boundary controls and I/O controls
791. What are the tasks of an auditor while evaluating the vulnerabilities of a
Data Base Management System (DBMS)?
A. Evaluate access permissions configured in software
B. Evaluating the access security enforced by the DBMS
C. Ensure that logical access to system software are controlled to detect
changes in system configuration
D. Focus on the effectiveness of boundary controls and I/O controls
792. What is Masquerading?
A. Disguising or Impersonation
B. Using an unattended terminal
C. Tapping a communication cable
D. Flooding Memory buffers and communication ports
793. What is Phishing?
A. Requesting personal details over phone posing as an originator
B. Sending a mail posing as an originator (e.g. bank) requesting to provide
information by clicking a link
C. Installing software that captures user information like login id and
password
D. Specially design programs that captures and transmits information
794. What is the name for malicious code that attaches to a host program and
propagates when an infected program is executed?
A. Worms
B. Trojan Horses
C. Viruses
D. Logic Bombs
795. What is a macro virus?
A. A virus that infects Microsoft Word or similar applications
B. A virus that hides itself from anti virus software
C. A virus which encrypts itself and is very hard to detect
D. Software that tracks the internet activities of the user

796. Which of the following is not a characteristic of Logic Bombs?
A. This blows up on the occurrence of a logical event
B. These are programmed to open specific ports to allow access for
exploitation
C. This checks whether a particular condition has been met to execute
the logic code
D. These are very difficult to detect as its destructive information set is
known only after it is executed
797. Which of the following is not a characteristic of a Macro Virus?
A. When executed unwittingly by a user, it copies itself to the
application’s start-up files
B. Its infection spreads to other machines on a network
C. These are relatively harmless
D. This can assume over two billion different identities
798. User Registration is generally approved by:
A. User himself
B. IS Auditor
C. User Manager

D. System Administrator
799. On what basis are access privileges assigned to a user?
A. Seniority level
B. Expertise and qualification
C. Job requirements and responsibilities
D. There is no basis. It is randomly assigned
800. In password management, how can misuse of passwords by system
administrators be prevented?
A. Force change on first login by the user
B. Secure communication of password to user
C. By generating hash while storing
D. By taking an undertaking from the system administrator

801. Which of the following is not mandatory for good password management?
A. All passwords should be authenticated
B. Password expiry must be managed as per policy
C. Every user’s password should be known to the user manager
D. Users have to be educated and made responsible for their password
802. How is it possible to detect excess rights due to changes in
responsibilities, emergencies etc.?
A. By assigning access privileges
B. By getting the password of the user
C. By a person who has administrative privileges
D. By Periodic review of user’s access rights
803. What must an IS auditor ensure while reviewing access controls related
to user id and passwords of default users with administrative
privileges?
A. They can remain but it should be known to the organisation
B. These user ids should be disabled and passwords changed
C. Default users cannot have a user id or password
D. Default users should be educated about their responsibility
804. What is segregation of networks with respect to network access
control?
A. Isolation of network from internet usage service availability
B. Aligning internet service requirements with the business need policy
C. Restriction of traffic between networks
D. Specifying the exact path or route connecting the network
805. Name the control which helps in auditing and tracking of transactions
along with date and time?
A. Segregation of Networks
B. Network connection and routing control
C. Clock synchronisation
D. Enforced path
806. A user is allowed to access only those items he is authorised to access.
How is access to information prevented in an application?
A. By application specific menu interfaces
B. System Access is monitored
C. By Event logging
D. By monitoring system use
807. In operation system control, what is the use of system utilities?
A. Ensures that a particular session can be initiated from a particular
location
B. Help manage critical functions of the operating system
C. Provides means to alert authorities if users are forced to execute
instructions
D. Prevents unauthorised access by limiting time slot
808. Methods like Biometric Authentication or digital certificates are
employed for which aspect of operating system control?
A. Password Management

B. Terminal log on procedures
C. User identification and authentication
D. Automated terminal identification
809. What are ‘Audit Trails’?
A. History of transactions
B. Record of system activities enabling examination of a transaction
C. Attempts to gain unauthorised access to system
D. Unauthorised privileges granted to users
810. What is authentication with regard to Access Control Mechanism?
A. Process by which user provides a claimed identity
B. Process by which a user is allowed to perform a pre determined set of
actions
C. Prevention of unauthorised access by a user
D. Mechanism through which user’s claim is verified
811. A physical/biometric comparison falls under which category of
authentication factor?
A. Something the user is
B. Something the user knows
C. Something the user has
D. Two factor authentication
812. Which is the authentication technique which allows the password to be
based on changing input rather than just time?
A. Passwords
B. Challenge response
C. PINs
D. One time passwords
813. What is the attacking technique in which the attacker uses a malicious
software to steal passwords and other information?
A. Trojan attack
B. Brute force
C. Dictionary attack
D. Spoofing attack
814. Automatic log out after a predetermined period of inactivity is a
technique used against which type of attack?
A. Spoofing attacks
B. Dictionary attacks
C. Piggy backing
D. Trojan attack
815. Which of the following is the feature of a Smart token only?
A. Contains information such as name, identification no, photograph etc
B. Contains a magnetic strip which stores information
C. The user is required to KEY in remembered information
D. Contains a processor chip which enables storing dynamic information
816. In which of the following tokens does the card contain a bar code which
is read when brought in proximity to the reader device?
A. Processor based proximity reader
B. Smart tokens
C. Static proximity reader
D. Memory tokens
817. In Biometrics, what is the Crossover Error rate (CER)?
A. A very low FRR
B. The point at which FRR equals FAR
C. A very high FAR
D. The point at which FAR and FRR are zero
818. Which of the following is not a function of the operating system?
A. Provides independent user and access privilege management
mechanism

B. Supports execution of applications and enforces security
constraints defined at that level
C. Isolates processes from each other and protects permanent data
stored in its files
D. Provides controlled access to shared resources
819. The flexibility of a Pluggable authentication module allows to:
A. Execute applications and support any security constraints
B. Use multiple authentications for a given service
C. Provide controlled access to shared resources
D. Use physiological and behavioral characteristics to identify user
820. Most operating systems have at least three types of file permissions:
read, write and execute. The least access that have to be given to users
is:
A. Write
B. Execute
C. Read
D. Read and Write
821. When a system receives a request, how does it determine access rights
for the particular request?
A. By authenticating the password entered by the user
B. By using the access matrix
C. By consulting a hierarchy of rules in the Access Control List
D. By a challenge response
822. What does an Access Control Entry in an ACL consist of?
A. Name of the database and its path
B. Name of the user and his reporting structure
C. Name of the user and his group or role
D. Name of users and their access privileges
823. The core objective of an IdM system in a corporate setting is:
A. One identity per individual
B. One user per database
C. One role per individual
D. One user one group
824. Which of the following does not form a part of Identity Management?
A. Controls User Access Provisioning Lifecycle
B. Maintains the identity of a user and actions they are authorised to
perform
C. Determines which user can access which resource
D. Manages descriptive information about the user
825. System administrators/Network Administrators who have the powers to
create or amend user profiles are:
A. Privileged users
B. Administrative users
C. Special users
D. Maintenance users
826. A privileged user can use the user account that has privileged access
for only:
A. Normal business use
B. Non privileged activities
C. Privileged activities
D. Logging in to a system
827. What is a ‘back door’ or ‘trap door’?
A. Flaw that allows data to circumvent the encryption process
B. Bypass which is a means of access for authorised access

C. Flaw that allows an attacker to circumvent security mechanisms
D. Mechanism put in place by an attacker
828. What are the rows of an access control matrix called?
A. Access Control lists
B. Subjects
C. Objects
D. Capability lists
829. What is the major concern of using group/generic ids?
A. Fixing accountability of actions to individual
B. It needs special approval
C. It is not allowed in ERP packages
D. It is not wise to share user id with others
830. What is the specialty of a Single Sign On session?
A. User ids and passwords are shared among select users
B. A single user id and password to log on to all required applications
C. Verifies that the users are whoever they claim to be
D. Verifies that the network components used by the users are within
their permission profile

831. What is the function of an Active Directory (AD) domain controller?
A. Accesses and maintains distributed directory information services
over an Internet Protocol network
B. Plays an important role in developing intranet and internet
applications by allowing the sharing of information by users
C. Authenticates and authorises all users and computers in a Windows
domain type network
D. Verifies that users are who they claim to be and the network
components they use are within their profile
832. Which authentication mechanism issues ‘tickets’ which have a limited
life span and are stored in the user’s credential cache?
A. AD
B. LDAP
C. Kerberos
D. DNS
833. Which of the following is an advantage of Single Sign On?
A. Easier administration of changing or deleting passwords
B. It can avoid a potential single point of failure issue
C. Maintaining SSO is easy as it is not prone to human errors
D. It protects network traffic
834. In a SSO system, once a user’s identity and authentication is
established, on what basis are access criteria determined?
A. All identified users are granted access
B. Based on Roles, groups or network location
C. All authenticated users are granted access
D. It is not necessary to establish identity or authenticity
835. In a Single Sign On system, all access criteria should default to:
A. No access
B. Full access
C. Granting access to all identified users
D. Granting access to all authenticated users
836. What should an access control mechanism ensure?
A. Subjects should be identified before they are granted access
B. All subjects that are authenticated should be authorised to access
objects
C. All Objects can be accessed by authorised subjects

D. Subjects gain access to objects only if they are authorised to

837. This is a multi-level secure access control which defines a hierarchy
of levels of security.
A. Discretionary Access Control
B. Mandatory Access Control
C. Role Based Access Control
D. Database Access Control
838. Which of the following is a feature of Role Based Access Control?
A. Multilevel secure access control mechanism
B. The Matrix defines the whole state of the system
C. Systems are centrally administered and are nondiscretionary
D. Access control lists are used to store the rights with object
839. Access to database can be controlled through permission settings. On
what basis is this permission system designed?
A. Principle of least privileges
B. Permissible values or limits
C. Approval by data owner
D. Access levels
840. What permissions does a user with ‘Manage’ access level have with
regard to a database?
A. View, Edit, Add and delete
B. View, add, edit and delete (only information added by them)
C. View, Edit, Add, Delete and change database design
D. Only view
841. When access to database is controlled through application software,
how is maintenance of database done?
A. Users are granted access for maintenance
B. Direct access is granted to DBA
C. Direct access is granted to system administrator
D. User managers are granted access
842. What is user access to applications with respect to their job
responsibilities or logical access control called?
A. User Password Management
B. Equipment Management
C. Privilege Management
D. Network Management
843. Which of the following operating system access control ensures a
particular session is initiated from a particular location or computer
terminal?
A. Automated Terminal Identification
B. Terminal Log On Procedures
C. Password Management System
D. User identification and Authentication

844. Which of the following is a process by which a user provides a claimed
identity to access a system?
A. User Authorisation
B. User Registration
C. User Identification
D. User logging
845. What are the three steps in the process of access control mechanism?
A. Authorisation, information and identification
B. Synchronisation, verification and authentication
C. Identification, authentication and authorisation

D. Synchronisation, identification and authentication

846. In _________ authentication techniques, the system authenticates the
user and enables access to resources based on the authorisation
matrix.
A. Token or smart card

B. Password
C. Biometric comparison
D. Personal Identification Number (PIN)
847. Which of the following is the weakness of the password logon
mechanism?
A. Periodic changing of password
B. Encrypted password
C. Repeated use of the same password
D. One user one password
848. _________________ is defined as automated mechanism, which uses
physiological and behavioral characteristics to determine or verify
identities.
A. Biometrics
B. Plastic cards
C. Logon/password systems
D. Smart Cards
849. What is/are the error(s) caused by biometrics due to the complexity of
data?
A. False Rejection Rate (FRR)
B. False Acceptance Rate (FAR)
C. Crossover Error Rate (CER)
D. FRR and FAR
850. Facial scan, iris and retina scanning are used in _______________.
A. Biometric security
B. Smart tokens
C. Bio direct security
D. Backup security
851. Which of the following provides system administrators the ability to
incorporate multiple authentication mechanisms into an existing
system using pluggable modules?
A. Personal Authentication Module
B. Password Processing Module
C. Pluggable Authentication Module
D. Login identification Module
852. Access privileges of a user for two entities, A and B for read and write
are maintained in the _____________ within an application.
A. Actual access control list
B. Access control list
C. Acquired control entry
D. Secret policy entry
853. The characteristic of network that improves reliability and performance
due to dynamic routings between two end points is better known as:
A. Anonymity
B. Automation
C. Routing diversity
D. Opaqueness
854. Network establishes communication among disperse users/machines.
Which of the following is a disadvantage of this characteristic of
networks?
A. Risks like impersonation, intrusion, tapping
B. Very fast communication speed
C. Physically far end points
D. Humans cannot tell the location of the remote site
855. What is the program that an attacker uses which reports to him which
ports responds to messages and the vulnerabilities present in each
port?
A. Social Engineering
B. Dumpster diving

C. Port Scan
D. Malware
856. What does Social Engineering involve?
A. Gathering bits of information from various sources
B. Using social skills to persuade a victim
C. Looking through items that have been discarded
D. Eavesdropping
857. ‘Dumpster Diving’ is a commonly used ________________ technique.
A. Reconnaissance
B. Social Engineering
C. Documentation
D. Application fingerprint
858. The process by which an attacker comes to know the commercial
server on which an application is running, along with its version and
operating system, is known as:
A. Biometrics
B. Protocol flaws
C. Wiretapping
D. OS and Application Fingerprinting
859. How does an attacker use Malware to gather information?
A. Investigate a product that can be the target of an attack
B. Search for additional information on systems, applications or
sites
C. Scavenge the system and receive information over network
D. Post latest exploits and techniques
860. The process by which an attacker picks off the content of a
communication passing in an unencrypted form is known as:
A. Eavesdropping
B. Wiretapping
C. Microwave signal tapping
D. Satellite signal interception
861. What is active wiretapping?
A. Listening to communications intentionally
B. Overhearing without extra effort
C. Injecting something into the communication stream
D. Placing an illegitimate antenna to intercept communication
862. The costs of intercepting satellite communications are very high
because:
A. All traffic passing through a node has to be monitored
B. Neither the sender nor receiver should know that contents have been
intercepted
C. Satellite communications are heavily multiplexed
D. Cost of placing an illegitimate antenna is more
863. A wireless signal can be picked up easily within 60
meters. Why?
A. The signal is strong up to 60 meters
B. The signal is weak up to 60 meters
C. There is no signal up to 60 meters
D. The signal is strong after 60 meters
864. It is not possible to tap an optical system without detection. Why?
A. Optical fiber carries electricity but does not emanate a magnetic field
B. Optical fiber carries light energy which does not emanate a magnetic
field
C. An optical signal is not very strong and hence cannot be picked up
D. An antenna needs to be placed to intercept which is detectible
865. A term used for a virtual network of zombies used to launch an attack on
a system is:
A. BOTnets
B. Spam
C. Malware
D. Spoofing
866. An employee who is on leave reveals his authentication details to
another employee so that urgent activities can be carried out in his
absence. These details are passed on without encryption. How does
this make the employee's authentication information vulnerable to an
impersonator?
A. The impersonator can guess the identity by using common passwords
B. The impersonator can exploit flaws and weaknesses of the operating
system
C. The attacker can circumvent or disable the authentication mechanism
D. These details can be retrieved by an impersonator by eavesdropping
or wiretapping
867. An organisation purchases 10 new systems which are installed by the
seller using a test account without any password. However,
authentication is put in place and users access information after
proper authentication. But the test account has not been deleted. How
can an impersonator foil authentication in this case?
A. Information can be accessed through session hijacking
B. Information can be hijacked by intruding between two authenticated
users
C. Information becomes vulnerable through a well-known test password
D. Information can be accessed through spoofing or masquerading
868. Not only is the message itself sensitive but the fact that a message
exists is also sensitive. How can an attacker infer that sensitive
messages exist between two confidential parties?
A. Traffic flow analysis
B. Using exposures as part of attack
C. By modifying a destination address
D. Taking advantage of mis-delivery due to congestion at network
elements
869. Which of the following amounts to compromising the integrity of
messages?
A. Mistyping an address so that it reaches the wrong recipient
B. Mis-delivery of messages due to some flaw in the network hardware
or software
C. Exposure of messages in temporary buffers
D. Combining pieces of different messages into one false message
870. It is easy for an attacker to obtain information necessary to attack the
website. How?
A. Website codes are downloaded and executed in the browser from
which the information can be obtained
B. The attacker exploits vulnerabilities in multiple machines and uses
them to attack the target simultaneously.
C. An attacker can monitor the communication between a browser and a
server to see how changing a web page entry affects what the
browser sends and reacts.
D. Attackers execute scripts in the victim's browser which can hijack user
sessions
871. What is ‘Ping of Death’?
A. Sending more data than a communication system can handle, thereby
preventing receipt of legitimate data
B. Crashing a large number of systems by sending a ping of certain size
from a remote machine
C. Corrupting the routing so that traffic can disappear
D. Corrupting a name server or causing it to cache spurious entries,
thereby redirecting the routing of any traffic
872. What are the multiple machines that are used by an attacker for DDoS
attacks called?
A. Cookies
B. Routers
C. Zombies
D. FTP
873. Code which can cause serious damage to a system because it is not
screened for safety when it is downloaded, and which runs with the
privileges of its invoking user, is called:
A. Hostile applet code
B. Cookies
C. Scripts
D. Active X
874. A virus that is difficult to detect because it modifies itself and changes
its identity, thus hiding itself from antivirus software:
A. MBR Virus
B. Stealth Virus
C. Polymorphic virus
D. Macro Virus
875. What is a Trojan Horse?
A. Virus that affects the boot sector of storage device
B. Virus that affects applications like Microsoft Word and Excel
C. Stand-alone viruses that are transmitted independently
D. Malicious code hidden inside a legitimate program
876. Malicious code added to an existing application to be executed at a
later date is known as:
A. Logic bomb
B. Trojan Horse
C. Polymorphic virus
D. Stealth virus
877. What is the method used by most of the antivirus software to identify
virus infections in a system?
A. Monitoring traffic
B. Signature detection
C. Repair or quarantine
D. Scan processes
878. When do injection flaws occur?
A. When untrusted data is sent to an interpreter as part of a command or
query
B. When application functions related to authentication and session
management are not implemented correctly
C. When an application takes untrusted data and sends it to a web
browser without proper validation
D. When a developer exposes a reference to an internal implementation
object
879. What is a Cross Site Request Forgery Attack?
A. It forces a logged on victim’s browser to send a forged HTTP request
B. It forges request in order to access functionality without proper
authorisation
C. It helps steal or modify weakly protected data
D. It facilitates serious loss or data takeover
880. In case of advanced persistent threat why is an antivirus unable to
detect the malware?
A. The attack is on an identified subject
B. Social engineering methods are used
C. Malware is specifically written for this purpose
D. The attack continues for a longer duration
881. In order to limit the amount of damage a single vulnerability can allow,
it is important that:
A. All servers reside on a single segment
B. Different servers reside on different segments
C. There is a single web server
D. Single points of failure are eliminated
882. Where does encryption occur when data is encrypted in link encryption?
A. Data link layer of the receiving host
B. Network layer
C. Data link layer in the OSI model
D. In transit between two computers